PERSONAL IDENTITY INFORMATION & CONFIDENTIALITY POLICY
The CID Collective recognizes its need to maintain the confidentiality of Personal Identity Information (PII) and understands that such information is unique to each individual. The PII covered by this policy may come from various types of individuals like employees, vendors, and customers. The scope of this policy includes company requirements for the security and protection of such information throughout the company and its approved vendors both on and off work premises.
Key Elements
Personal Identity Information (PII): Unique personal identification numbers or data, including:
Social Security Numbers (or their equivalent issued by governmental entities outside the United States).
Taxpayer Identification Numbers (or their equivalent issued by governmental revenue entities outside the United States).
Employer Identification Numbers (or their equivalent issued by government entities outside the United States).
State or foreign driver’s license numbers.
Personal addresses.
Date(s) of birth.
Corporate or individually held credit or debit transaction card numbers (including PIN or access numbers) maintained in organizational or approved vendor records.
PII may reside in hard copy or electronic records; both forms of PII fall within the scope of this policy.
Vendors: Vendors include all external providers of services to the company and include proposed vendors. No PII can be transmitted to any vendor by any method unless the vendor has been approved for the receipt of such information.
PII Retention: The CID Collective understands the importance of minimizing the amount of PII data it maintains and retains such PII only as long as necessary. Refer to the company’s Record Retention Policy, which dictates the length of data retention and data destruction methods for both hard copy and electronic records.
Data Breaches/Notification: The Company will handle breach notification(s) to all governmental agencies to whom such notice must be provided in accordance with time frames specified under these laws. Notices to affected individuals will be communicated by the owner after consultation with the Company’s attorney and within the time frame specified under the appropriate law(s).
Data Access: The CID Collective has access to systems where PII data may reside; thus, user access to such systems must be limited to only those who are granted access by management.
Regulatory Requirements: It is the policy of the company to comply with any international, federal or state statute and reporting regulations. If any provision of this policy conflicts with a statutory requirement of international, federal or state law governing PII, the policy provision(s) that conflict shall be superseded.
Confirmation of Confidentiality: All company employees must maintain the confidentiality of PII as well as company proprietary data to which they may have access and understand that such PII is to be restricted to only those with a business need to know.
The Company cannot control the information it receives from outside vendors or customers. However, all transmissions containing PII that are sent by employees must be encrypted.